Ghost Circuit is an independent security research collective. We tear down firmware, probe silicon, and follow the signals that connected devices would rather keep quiet — then we disclose, vendor-first.
Latest research
The over-the-air update channel on Halberd SoilSense controllers accepts older signed firmware images without anti-rollback enforcement, letting a network-adjacent attacker reintroduce patched vulnerabilities and seize persistent control of irrigation logic.
BoltLink Pro deadbolts derive their per-session BLE encryption key from a 16-bit pairing nonce seeded by the device uptime counter, collapsing the effective keyspace and enabling a proximity replay attack.
A single crafted Modbus/TCP frame fans out into hundreds of register writes on downstream serial PLCs, letting a low-bandwidth attacker stall a control loop and trip safety interlocks.
A populated, unauthenticated UART header on the RoadEye 5 mainboard drops straight to a root shell, exposing fleet credentials and recorded footage to anyone with brief physical access.
Research disciplines
Four practice areas, one method: understand the system completely, find where trust breaks, prove it, and help close the gap.
Static and dynamic analysis of embedded firmware, secure-boot review, and OTA update-channel auditing on ARM and RISC-V targets.
Board-level reverse engineering, debug-interface recovery, glitch and fault injection, and power side-channel evaluation.
BLE, Zigbee, LoRa, and proprietary RF analysis, plus Modbus, CAN, and other industrial protocol fuzzing.
Safety-aware assessment of PLCs, protocol gateways, and field controllers with coordinated, vendor-first disclosure.
How disclosure works
We acquire devices on the open market and analyze them in isolation — never against live, third-party infrastructure.
Every finding is reproduced end to end and reduced to a minimal proof of concept before a single line is written.
We contact the vendor's security team with full technical detail and a 90-day disclosure window.
Once a fix ships — or the window closes — we release the advisory with remediation guidance.
Coordinated disclosure
We coordinate with vendors, researchers, and CERTs worldwide. Reach out through an encrypted channel and we will respond within 72 hours.